Organizations today are subject to a variety of regulations related to computer systems within the organization. Often, organizations undergo regular auditing to verify compliance with these regulations. General guidelines have been established for systems within an organization. For example, the Control Objectives for Information and related Technology (COBIT) is a set of best practices (i.e., a framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes, and best practices to assist them in improving the benefits derived through the use of information technology and developing appropriate IT governance and control in an organization. For example, some practices specify the applications that are allowed to run or that each computer system has up to date antivirus software. Other regulations govern specific industries. For example, the Health Insurance Portability and Accountability Act (HIPAA) enacted by the U.S. Congress in 1996 contains provisions that require health care providers to protect the privacy of patient information. These provisions extend to data stored on a health care provider's computer systems, and organizations often seek to verify the organization's compliance with such regulations.
Non-compliant systems are those computing systems within an organization that do not comply with one or more regulations placed in effect by the organization. There are two priorities that an organization typically has with respect to non-compliant computer systems. First, the organization wants to isolate non-compliant systems from compliant systems, to avoid spreading a problem or avoid unauthorized access to sensitive organizational data. For example, if a non-compliant computer system has a computer virus, the organization wants to avoid that virus spreading to other computer systems within the organization. Second, the organization wants to bring the non-compliant computer system back into compliance. This ensures that the user of the non-compliant computer system receives the level of service from the organization's IT resources that the user expects. For example, the user may expect to be able to access a corporate email server to check email, but for the security of other systems may be prevented from doing so if there is a problem with compliance.
Most compliance applications today focus on auditing and detection of violations of the types of regulations or best practices noted above. These applications may routinely scan an organization's network to evaluate each computer system's compliance with a best practice. The applications often generate a report that IT personnel review and act upon. For example, the IT personnel may communicate with a user of a non-compliant computer system or block the non-compliant computer system from accessing certain resources (e.g., a corporate network). Existing systems provide a lot of information, but generate a correspondingly high burden on IT personnel that later consume the information and act upon it.